NordVPN Got Hacked and Lied About It. Here is the Proof.


NordVPN was hacked in March 2018. They discovered it in 2019. They told you in October 2019, and only because someone exposed them on Twitter.

I actually respect VPN technology. It’s brilliant for bypassing censorship and geo-restrictions. What I don’t respect is, in my opinion, a “security” company hiding a breach for 18 months while continuing to take your money for “military-grade protection.”

But here’s what’s worse: They quietly edited their legal stance from “will NOT comply with law enforcement” to “will ONLY comply if legal.” Complete 180. No announcement. Just hoped you wouldn’t notice.

They also merged with Surfshark, their biggest “competitor.” Now when you comparison shop, in my opinion, you’re just choosing between two faces of the same company.

Let’s talk about what else NordVPN isn’t telling you.

30-Second Truth Bomb

  • NordVPN hacked in 2018, hid it for 18+ months
  • Only admitted breach after public exposure on Twitter (more serious than the hack itself IMO)
  • Quietly edited “won’t comply” to “will comply” with law enforcement
  • Merged with Surfshark - fake competition with themselves
  • Auto-renewal scams at 3x the signup price
From r/technology, “NordVPN finally admits it was hacked” (1774 upvotes, 93% upvoted, 311 comments), top comments:
u/AlphaTangoFoxtrt ↑ 265 72mo ago
So one exit node, in Finland, was compromised, and they severed ties with it.

Yawn.

Even if it was more, I don't use Nord to hide from hackers. I use it to hide my torrenting... of completely legal free and open source data of course....
u/sokos ↑ 53 72mo ago
Not to mention it was third-party, undisclosed software, i.e. they had zero way of knowing it was a vulnerability.
u/NitnoYT ↑ 83 72mo ago
But my favorite youtubers recommended them T_T

The Problem: A Breach, a Cover-Up, and a Monopoly

Evidence 1: The 2018 Breach They “Forgot” to Mention

In March 2018, a hacker gained root access to one of NordVPN’s servers in Finland. This wasn’t a minor issue; the attacker had access to the server’s traffic.

But NordVPN didn’t tell anyone about this until October 2019, over 18 months later, and only after the details were leaked on Twitter.

A company that sells “trust” hid a major security failure. When they finally admitted it, they blamed a “third-party data center” for a “poor configuration.” Real talk: if you’re a security company, you don’t get to pass the buck. You’re responsible for your entire infrastructure. End of story.

Evidence 2: Downplaying the Damage

NordVPN’s initial response was to downplay the severity, calling it an “isolated security breach” and saying “hack is too powerful a word.” They claimed no user data was compromised, but according to security analysis, the attacker had access to unencrypted traffic. That means if you were connected to that server, they could potentially see every site you visited.

They also lost the server’s TLS keys, which could have been used to create a fake NordVPN website to phish users. They claimed this was a “slim” chance, but it’s a risk that should have been disclosed immediately.

Evidence 3: The Tesonet Deception

For years, NordVPN and Surfshark were presented as fierce competitors. It turns out they allegedly grew up in the same house. Both companies were reportedly launched out of Tesonet, a Lithuanian business incubator, a fact that was only revealed after a Lithuanian news site broke the story.

They apparently share a common origin, yet this was never disclosed until journalists dug it up. In my opinion, it’s another example of a concerning lack of transparency in an industry that sells trust as its main product.

Evidence 4: The Nord Security Monopoly

Just like Kape does, NordVPN’s parent company, Nord Security, is buying up the competition. In 2022, they officially merged with Surfshark. They also own AtlasVPN and the enterprise service NordLayer.

This means three of the biggest names in the VPN space are now under one roof. Less competition is always bad for consumers. It leads to higher prices, less innovation, and more corporate bullshit.

Evidence 5: Dark Patterns and Deceptive Billing

On top of the security issues, there are countless user complaints about NordVPN’s billing practices.

From r/vpnreviews, “NordVPN is a scam” (104 upvotes, 92% upvoted, 85 comments):
I signed up for a NordVPN account last August for a one year subscription. They charged me $68 on August 20, 2023. I was reviewing my visa statement and noticed they charged me $219 on August 6 (2 weeks prior to my one year subscription expiring). I only had signed up for the basic service and the $219 did not include any additional features. I’m disgusted by this type of behaviour of companies trying to sneak charges past you in the hopes you don’t check your statements. This is fraud. I have c...
u/AutisticTurnip ↑ 27 14mo ago
Yup, most do this: they will offer something like 90% off the first year, and most people forget about it and they get these huge charges.

Get something like mullvad or proton. Proton has a free tier if you really don’t want to risk losing any more money FYI.
u/Starwave1984 ↑ 9 14mo ago
I mean to be fair they tell you multiple times that this will happen and their excuse is "for your convenience" to ensure "there are no gaps in your protection" or something along those lines, you can see that in your account and before making the purchase so it wouldn't really come off as a surprise, it still feels really wrong imo and shouldn't be like that. Try to dispute the charge but if you ...
u/djwilliams100 ↑ 13 14mo ago
Thanks for the reminder to turn off auto renew.
u/Trip_2 ↑ 5 14mo ago
First thing to do after signing up is to uncheck auto renewal and remove your credit card info.
u/[deleted] ↑ 11 14mo ago
it's not a scam. most subscriptions trick you to fall into this.

A quick search on Reddit reveals a pattern of users getting hit with unexpected auto-renewals at the full, non-promotional rate. They make it easy to sign up for a cheap 2-year plan, but then bury the auto-renewal at a much higher price in the fine print. It’s a classic dark pattern designed to trick you.

Evidence 6: The Panama Jurisdiction Change

This is the real kicker. For years, NordVPN’s big selling point was its Panama jurisdiction. They claimed they wouldn’t comply with law enforcement requests. Here’s what their blog post said in 2017:

“NordVPN operates under the jurisdiction of Panama and will not comply with requests from foreign governments and law enforcement agencies.”

Sounds great, right? Well, they quietly edited that post. Here’s what it says now:

“NordVPN operates under the jurisdiction of Panama and will only comply with requests from foreign governments and law enforcement agencies if these requests are delivered according to laws and regulations.”

That’s a complete 180. In my opinion, it seems like they changed their legal stance without properly notifying users. I believe their entire “we’re untouchable in Panama” marketing pitch is misleading, based on this discussion.
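The “quiet edit” above is exactly the kind of change a snapshot diff catches. As an added example (not code from the post or from NordVPN), the script below diffs two versions of a page word by word and flags edits to qualifier words such as “not”, “only” and “if”; the two quoted sentences are embedded as constructed sample input, and in practice you would paste the text of two Wayback Machine captures of the same page.

```python
import difflib
import re

# Two versions of the NordVPN jurisdiction statement, as quoted in this post.
# Constructed sample input: in practice, paste the text of two Wayback Machine
# snapshots of the same page (e.g. the 2017 capture and the current one).
SNAPSHOT_OLD = (
    "NordVPN operates under the jurisdiction of Panama and will not comply "
    "with requests from foreign governments and law enforcement agencies."
)
SNAPSHOT_NEW = (
    "NordVPN operates under the jurisdiction of Panama and will only comply "
    "with requests from foreign governments and law enforcement agencies "
    "if these requests are delivered according to laws and regulations."
)


def tokenize(text):
    """Lower-case word tokens. Punctuation, curly quotes and line wrapping are
    dropped so purely cosmetic edits to a page do not register as changes."""
    return re.findall(r"[a-z0-9']+", text.lower().replace("\u2019", "'"))


def diff_words(old, new):
    """Return (removed, added): the words that disappeared from the old
    snapshot and the words that appeared in the new one, in document order."""
    a, b = tokenize(old), tokenize(new)
    removed, added = [], []
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        if op in ("delete", "replace"):
            removed.extend(a[i1:i2])
        if op in ("insert", "replace"):
            added.extend(b[j1:j2])
    return removed, added


def report(old, new, watch=("not", "only", "if", "unless")):
    """One-line summary that flags edits to qualifier words, which is where a
    policy reversal like 'will not comply' -> 'will only comply ... if' hides."""
    removed, added = diff_words(old, new)
    touched = sorted(set(removed + added) & set(watch))
    verdict = "QUALIFIER CHANGED" if touched else "wording only"
    return f"{verdict}: removed={removed} added={added} qualifiers={touched}"


if __name__ == "__main__":
    print(report(SNAPSHOT_OLD, SNAPSHOT_NEW))
```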

In my view, they’re just as vulnerable to government pressure as any VPN based in the US.

But to be fair, this isn’t unexpected, nor unique to NordVPN. Wanting to dissociate from bad actors on your network is understandable.

How They Get Away With It: The Marketing Machine

NordVPN spends a fortune on sponsorships and affiliate marketing to control the narrative. They pay YouTubers and bloggers to tell you they’re the best, and those influencers conveniently forget to mention the 2018 breach or the lack of transparency.

In my opinion, they’re selling you a feeling of security, not the real thing. I believe they’re more of a marketing company that happens to sell a VPN.

🔍 Don’t Trust Me? Verify This Yourself

Want to see the raw data behind my claims? Check out the data spreadsheets - technical details, ownership records, pricing, and more.

  1. Google “NordVPN 2018 breach Finland server”
  2. Search “NordVPN Twitter October 2019 breach”
  3. Use Wayback Machine on NordVPN’s Panama jurisdiction claims
  4. Look up “Nord Security Surfshark merger 2022”
  5. Search Reddit for “NordVPN auto renewal scam”

The Alternative: A VPN That’s Actually Transparent

Look, if you want to trust a company that hides a major breach for over a year, go ahead. Keep using NordVPN.

But I’m sticking with Mullvad VPN. Why? Because they haven’t been caught lying to their users. They’re independently audited, they don’t have a shady history, and they don’t have an affiliate program, so you know their recommendations are legit.

Here’s my affiliate link: [I still don’t have one. Go to their site and sign up. It’s that simple.]

🧪 Test This Yourself

Verify NordVPN’s deception:

  • Check server security: ipleak.net (notice the datacenter IPs?)
  • Test their “no logs”: Search “NordVPN + subpoena + compliance”
  • Find the merger: “Surfshark Nord Security same company”
  • Check billing complaints: “NordVPN unexpected charge Reddit”
  • Compare their old vs new legal stance on Wayback Machine

Why I Still Recommend Them Anyway (And I Know You’re Confused)

Yeah, I just spent 2,000 words criticizing NordVPN. And now I’m going to rank them #3 in my VPN recommendations. Let me explain why.

They’re Like the Ex Who Actually Went to Therapy

What They Did Wrong (2018-2019):

  • Hacked in March 2018, hid it until October 2019
  • Only admitted when exposed on Twitter
  • Downplayed severity (“hack is too powerful a word”)
  • Quietly changed Panama jurisdiction stance
  • Merged with Surfshark without proper disclosure

What They’ve Done Since (2019-2025):

  • Switched to 100% RAM-only colocated servers
  • Independent audits by Deloitte, PwC (public reports available)
  • Published transparency reports showing law enforcement requests
  • Open-sourced Linux/Android apps for verification
  • Implemented diskless infrastructure (data wiped on reboot)
  • No third-party datacenters (no repeat of 2018 vulnerability)

The Honest Assessment

Do I trust them 100%? Absolutely not. They broke trust and spent 18 months lying about it.

Do I believe they’ve made real improvements? Yes. The technical changes are verifiable and independently audited.

Would I recommend them to a whistleblower? Absolutely not. Use Mullvad.

Would I recommend them for Netflix geo-unblocking? Yeah, actually. They’re reliable, fast, and the post-breach security improvements are real.

My Ranking (Based on Use Case)

Your Threat Model    | My Recommendation    | Why
Casual streaming     | NordVPN or Surfshark | Fast, reliable, works on everything
Actual privacy       | Mullvad              | No accounts, cash accepted, raid-tested
Journalist/Activist  | ProtonVPN            | Swiss law protection, proven track record
Budget streaming     | Surfshark            | Same company as Nord, cheaper, worse UI

The Redemption Asterisk

NordVPN 2025 is measurably different from NordVPN 2018:

  • Then: Third-party datacenters with insecure configurations

  • Now: Colocated RAM-only servers they physically control

  • Then: “We weren’t hacked” (lies)

  • Now: Published transparency reports and audit results

  • Then: “Will NOT comply with law enforcement”

  • Now: “Will comply if legally required” (honest, at least)

The bottom line: They’re a reformed liar in an industry full of undiscovered liars.

I’d rather trust the company that got caught, got exposed, and was forced to improve than the 47 other VPNs that probably have similar skeletons we just haven’t found yet.

Why This Doesn’t Erase the Original Sin

The 2018 breach cover-up was worse than the breach itself. Security failures happen. Hiding them for 18 months while taking money for “military-grade protection” is fraud territory in my opinion.

But here’s the reality: If I only recommended VPNs with perfect track records, I’d recommend one VPN (Mullvad). And most of you won’t use Mullvad because:

  • No account system confuses people
  • Fewer streaming servers
  • No slick marketing
  • No affiliate program pushing it

So I’m giving you the second-best option: A VPN that failed dramatically, got caught, and made real improvements.

My affiliate links:

  • Mullvad - Pays me $0, actual privacy
  • ProtonVPN - Pays me $25, legitimate track record
  • NordVPN - Pays me $25, good for casual use with asterisks

Notice I ranked the $0 option #1. That’s integrity.

Bottom Line

A security company’s most valuable asset is trust. NordVPN broke that trust when they hid their March 2018 breach until October 2019.

But they’ve also spent five years rebuilding that trust with verifiable technical improvements.

Use them for: Streaming, casual privacy, bypassing geo-blocks
Don’t use them for: Journalism, activism, actual threat models

Know what you’re buying. They’re not privacy heroes. They’re competent at the thing most people actually want VPNs for.

The Angry Dev

Do NOT trust review sites. Affiliate commissions dictate their rankings. This is an affiliate site too, but I’m being honest about what I earn and I rank by quality instead of payout. Even if it means I get paid $0. Read about my approach and why I stopped bullshitting. Here’s the raw data so you can fact-check everything.
